Systems and methods for providing access to an information account stored in a central data repository. The information account is associated with a consumer and is subject to the consumer's control and management. Consumer authentication information is input by the consumer in connection with a first request for access to the information account via a first web-site. Responsive to authentication of the consumer, a single sign-on feature may be activated for automatically managing subsequent authentications of the consumer so that the consumer will not be required to again input the consumer authentication information upon initiating a second request for access to the information account while interacting with a subsequent web-site that is configured to provide access to the information account upon authentication of the consumer. The single sign-on function may be deactivated upon the occurrence of a terminating event, such as the expiration of a time-out interval.
|
39. A system for providing access to an information account stored in a central data repository that is accessible via a distributed network, the information account containing consumer information elements that are changed by the consumer, the system comprising:
a client-side application configured for automatically managing authentication of the consumer at a network device so that the consumer will not be required to input the consumer authentication information upon initiating a request for access to the information account while interacting with a web-site that is configured to provide access to the information account upon authentication of the consumer, a first consumer information element of the information account comprising one or more name fields to identify the consumer, a second consumer information element of the information account comprising one or more geographic address fields associated with the consumer;
wherein the client-side application automatically manages authentication of the consumer by communicating with a host server to determine that a previous authentication of the consumer providing the consumer with access to the information account remains valid and to instruct the web-site to by-pass a sign-on interface that would otherwise prompt the consumer to input the consumer authentication information when the consumer initiates the request for access to the information account;
wherein the host server in response to the request for access to the information account, retrieves one or more consumer information elements from the information account by filtering data from the information account based on an identification of the web-site being accessed by the consumer; the host server sends the retrieved consumer information elements over the distributed electronic network to the client-side application;
wherein the client-side application parses the retrieved consumer information elements, and auto-populates input fields of a displayed web page file of the web-site being accessed by the consumer with the consumer information elements.
17. A computer-implemented method for accessing an information account stored in a central data repository that is accessible via a distributed network and is coupled to a host server, the information account containing consumer information elements that are changed by the consumer, the method comprising the steps of:
transmitting to a host server, over the distributed electronic network, a first request for access to the information account and consumer authentication information in response to the consumer inputting the consumer authentication information while interacting with a first web-site hosted by a vendor server;
receiving an acknowledgment indicating that the host server authenticated the consumer based on the consumer authentication information, thereby providing the consumer with access to the information account stored in the central data repository, a first consumer information element of the information account comprising one or more name fields to identify the consumer, a second consumer information element of the information account comprising one or more geographic address fields associated with the consumer;
in response to the acknowledgment, automatically managing subsequent authentications of the consumer with the host server so that the consumer will not be required to again input the consumer authentication information upon initiating a second request for access to the information account while interacting with a subsequent website that is configured to provide access to the information account upon authentication of the consumer;
in response to the first, second, and subsequent requests for access to the information account stored in the central data repository, retrieving one or more consumer information elements from the information account by filtering data from the information account based on identification of a web-site being accessed by the consumer;
sending the retrieved consumer information elements over the distributed electronic network;
parsing the retrieved consumer information elements; and
auto-populating input fields of a displayed web page file of the web-site being accessed by the consumer with the consumer information elements.
1. A computer-implemented method for providing access to an information account stored in a central data repository that is accessible via a distributed network and is coupled to a database management system, the information account containing consumer information elements that are changed by the consumer, the method comprising the steps of:
receiving, over the distributed electronic network, a first request from a network device for access to the information account and consumer authentication information in response to the consumer inputting the consumer authentication information while interacting with a first web-site;
in response to the request, authenticating the consumer with the database management system based on the consumer authentication information, thereby providing the consumer with access to the information account stored in the central data repository, a first consumer information element of the information account comprising one or more name fields to identify the consumer, a second consumer information element of the information account comprising one or more geographic address fields associated with the consumer;
in response to authenticating the consumer, automatically managing subsequent authentications of the consumer with the database management system so that the consumer will not be required to again input the consumer authentication information upon initiating a second request for access to the information account while interacting with a subsequent web-site that is configured to provide access to the information account upon authentication of the consumer;
in response to the first, second, and subsequent requests for access to the information account stored in the central data repository, retrieving one or more consumer information elements from the information account by filtering data from the information account with the database management system based on an identification of a web-site being accessed by the consumer;
sending the retrieved consumer information elements over the distributed electronic network;
parsing the retrieved consumer information elements; and
auto-populating input fields of a displayed web page file of the web-site being accessed by the consumer with the consumer information elements.
27. A system storing, managing and distributing consumer information via a distributed network, comprising:
a central data repository accessible via the distributed electronic network for storing an information account, the information account containing consumer information elements that are changed by the consumer, a first consumer information element of the information account comprising one or more name fields to identify the consumer, a second consumer information element of the information account comprising one or more geographic address fields associated with the consumer; and
a host server for communicating with the central data repository and with a network device via the distributed electronic network and for executing computer-executable instructions for:
receiving with the host server, over the distributed electronic network, a first request from the network device for access to the information account and consumer authentication information in response to the consumer manually inputting the consumer authentication information while interacting with a first web-site;
in response to the request, authenticating the consumer with the host server based on the consumer authentication information, thereby providing the consumer with access to the information account stored in the central data repository;
in response to authenticating the consumer, automatically managing subsequent authentications of the consumer with the host server so that the consumer will not be required to again input the consumer authentication information upon initiating a second request for access to the information account while interacting with a subsequent web-site that is configured to provide access to the information account upon authentication of the consumer;
in response to the first, second, and subsequent requests for access to the information account stored in the central data repository, retrieving one or more consumer information elements from the information account with the host server by filtering data from the information account with the database management system based on an identification of a web-site being accessed by the consumer;
sending the retrieved consumer information elements over the distributed electronic network;
parsing the retrieved consumer information elements; and
auto-populating input fields of a displayed web page file of the web-site being accessed by the consumer with the consumer information elements.
2. The method of
3. The method of
4. The method of
5. The method of
wherein the timeout interval is considered to have expired if a difference between a current time and a time of the previous authentication is greater than the determined duration of time.
6. The method of
7. The method of
wherein the single sign-on function is implemented by one or more temporary client-side applications.
8. The method of
9. The method of
10. The method of
11. The method of
allowing the consumer to interact with the browser in order to edit the selected consumer information elements, if desired, and to submit the web page file to the vendor server for processing of the selected consumer information elements.
12. The method of
13. The method of
wherein automatically managing subsequent authentications of the consumer comprises recording in the authentication table in association with the consumer authentication information and the first-determined equipment identifier an indication that a single sign-on feature is activated.
14. The method of
receiving from the network device a second-determined equipment identifier in response to the consumer initiating a second request for access to the information account;
in response to receiving the second-determined equipment identifier, consulting the authentication table based on the second-determined equipment identifier and determining that the second-determined equipment identifier matches the first-determined equipment identifier, based on the first-determined equipment identifier, determining from the authentication table that the single sign-on feature is activated; and
transmitting to the network device a message to cause a sign-on interface that would prompt the consumer to input the consumer authentication information to be bypassed.
15. The method of
recording in the authentication table in association with the consumer authentication information and the first-determined equipment identifier, a time at which the consumer was authenticated to access the information account;
in response to determining that the single sign-on feature is activated, determining from the authentication table the time at which the consumer was authenticated; and
prior to transmitting the message to by-pass the sign-on interface, determining that a difference between a current time and the time at which the consumer was authenticated is not less than a time out interval.
16. The method of
18. The method of
wherein the first web-site includes an instruction that causes the browser to download from the host server one or more client-side applications configured for automatically managing subsequent authentications of the consumer.
19. The method of
determining a plurality of selected consumer information elements that are to be input into input fields of the first web-site;
transmitting to the host server a request for retrieval of the selected consumer information elements; and
in response to receiving the selected consumer information elements from the host server, auto-populating the selected consumer information elements into the input fields of the first web-site.
20. The method of
wherein automatically managing subsequent authentications of the consumer comprises: determining a first-determined equipment identifier that uniquely identifies the network device and transmitting the first-determined equipment identifier to the host server for storage in an authentication table in association with the consumer authentication information,
in response to the consumer initiating a second request for access to the information account, determining a second-determined equipment identifier and transmitting the second-determined equipment identifier to the host server, wherein the host server consults the authentication table based on the second-determined equipment identifier to determine that the second-determined equipment identifier matches the first-determined equipment identifier and, by association, that the consumer has previously been authenticated and that a single sign-on feature is activated, and
receiving from the host server a message to cause the subsequent website to by-pass a sign-on interface that would otherwise prompt the consumer to input the consumer authentication information.
21. The method of
22. The method of
23. The method of
24. The method of
25. The method of
wherein the time-out interval is considered to have expired if a difference between a current time and a time of the previous authentication is greater than the determined duration of time.
26. The method of
28. The system of
29. The system of
30. The system of
31. The system of
wherein the time-out interval is considered to have expired if a difference between a current time and a time of the previous authentication is greater than the determined duration of time.
32. The system of
33. The system of
wherein the host server further comprises a memory for storing one or more client-side applications configured to manage communications with the host server and to automatically manage subsequent authentications of the consumer on behalf of the client device; and wherein the host server executes further computer-executable instructions for transmitting to the client device said one or more client-side applications prior to receiving the first request for access to the information account.
34. The system of
35. The system of
36. The system of
receiving from the network device a first-determined equipment identifier that uniquely identifies the network device and storing the first-determined equipment identifier in an authentication table in association with the consumer authentication information; and
wherein automatically managing subsequent authentications of the consumer comprises recording in the authentication table in association with the consumer authentication information and the first-determined equipment identifier an indication that the single sign-on function is activated.
37. The system of
receiving from the network device a second-determined equipment identifier in response to the consumer initiating a second request for access to the information account;
in response to receiving the second-determined equipment identifier, consulting the authentication table based on the second-determined equipment identifier and determining that the second-determined equipment identifier matches the first-determined equipment identifier;
based on the first-determined equipment identifier, determining from the authentication table that the single sign-on function is activated; and
transmitting to the network device a message to cause a sign-on interface that would prompt the consumer to input the consumer authentication information to be by-passed.
38. The system of
recording in the authentication table in association with the consumer authentication information and the first-determined equipment identifier, a time at which the consumer was authenticated to access the information account;
in response to determining that the single sign-on function is activated, determining from the authentication table the time at which the consumer was authenticated; and
prior to transmitting the message to by-pass the sign-on interface, determining that a difference between a current time and the time at which the consumer was authenticated is not less than a time out interval.
40. The propagated signal of
41. The propagated signal of
42. The propagated signal of
wherein the time-out interval is considered to have expired if a difference between a current time and a time of the previous authentication is greater than the determined duration of time.
43. The propagated signal of
44. The propagated signal of
wherein, in response to receiving the equipment identifier, the host server determines that the previous authentication of the consumer remains valid by consulting an authentication table to determine that the equipment identifier matches a previously-stored equipment identifier, that an indication that a single sign-on feature is activated is stored in association with the previously-stored equipment identifier and that a terminating event has not occurred; and
wherein, in response to determining that the previous authentication of the consumer remains valid, the host server transmits to the client-side application a message to cause the web-site to by-pass a sign-on interface that would prompt the consumer to input the consumer authentication information.
45. The propagated signal of
46. The propagated signal of
allowing the consumer to interact with the browser in order to edit the selected consumer information elements, if desired, and to submit the web page file to the vendor server for processing of the selected consumer information elements.
47. The propagated signal of
|
The present application is a continuation-in-part of U.S. application Ser. No. 09/933,567 filed on Aug. 20, 2001, which claims the benefit of U.S. Provisional Patent Application Ser. No. 60/238,847 filed Oct. 6, 2000, which is hereby incorporated by reference as if set forth fully herein, and is further a continuation-in-part of each of the following co-pending applications, all of which are hereby incorporated by reference as if set forth fully herein;
The field of the present invention relates generally to systems and methods for the storage, management, and delivery of user or consumer information on or over a network. More particularly, the present invention relates to systems and methods for providing access to user or consumer information from various endpoints on or over a network.
As information technology and network technology become more prolific, people find themselves repeatedly and manually inputting the same data into different computer systems. For example, consumers may find themselves having to manually input their personal and billing information via each vendor website through which they choose to complete an electronic commerce (“e-commerce”) or mobile commerce (“m-commerce”) transaction. As the number of secure websites grows, consumers also find themselves having to manage numerous usernames and passwords. Thus, there is a need for a convenient and secure system for automating the management of consumer information.
Automated or partially automated solutions for managing information historically have largely been localized processes. Using conventional techniques, users are able to create and store data files containing personal information on their personal computers or other client devices, such as personal digital assistants (“PDAs”), pagers, mobile telephones, etc. The data elements in such data files can be shared using specialized applications for filtering data out of the data file and into another application. However, such systems typically require a permanent download of proprietary data management software that might not be compatible among different devices. In addition, the data management software and data files are often stored on only a single personal computer or computerized device. If the personal computer or other computerized device becomes lost or stolen, the user's data may no longer be accessible, and might end up in the possession of another person. If the personal computer or other computerized device crashes, the data can easily be lost.
From the perspective of providers, such as vendors of on-line products or services, it can be valuable to have access to consumer information in order to, for example, facilitate e-commerce or m-commerce transactions, or else to better understand consumers or communicate with them about products or services in which they might be interested. However, consumers are often reluctant to provide their personal information, often in part due to concerns over security of the information. Also, consumers may not want to take the time to re-enter their personal information at different on-line provider sites. Providers of on-line products or services may therefore benefit from a mechanism which entices consumers to provide their personal information by minimizing the burden on consumers when conducting on-line transactions requiring personal information and by allowing consumers to retain control over the type and amount of information that is released to the provider.
Accordingly, there remains a need for a more secure, flexible and convenient system for storing information and a method for allowing the user to manage and distribute that information using a personal computer or other network-connected device. There further remains a need for such a system and method that provides central information storage and does not require a permanent download of proprietary software to a client device for management and distribution of the information. There is a need for a mechanism which encourages consumers to provide their personal information to providers of on-line products or services. Additionally, to facilitate the use of such a system, there is a need for a mechanism that provides consumers a method to conveniently and securely move to various web-sites without the need to repeatedly supply authentication information, such as username and password, etc.
According to certain aspects of the invention, a first request for access to the information account may be received by a host server from a network device. The host server may also receive authentication information from the network device in response to the consumer inputting the consumer authentication information while interacting with a first web-site. In response to receiving the consumer authentication information, the host server may authenticate the consumer, thereby allowing the consumer to access the information account. Then, the host server may communicate with the network device to automatically manage subsequent authentications of the consumer so that the consumer will not be required to again input the consumer authentication information upon initiating a second request for access to the information account while interacting with a subsequent web-site that is configured to provide access to the information account upon authentication of the consumer.
The consumer may input a command for activating the single sign-on feature, i.e., the automatic management of subsequent authentications of the consumer. The single sign-on feature may involve determining that a previous authentication of the consumer for access to the information account remains valid and instructing the subsequent web-site to by-pass a sign-on interface that would prompt the consumer to input the consumer authentication information when the consumer initiates the second request for access to the information account.
In response to the first request for access to the information account, the network device may determine a first-determined equipment identifier that uniquely identifies the network device. The first-determined equipment identifier may be transmitted to the host server for storage in an authentication table in association with the consumer authentication information. The time of the sign-on may also be stored in the authentication table in association with the consumer authentication information. The host server may begin execution of the single sign-on feature by recording in the authentication table in association with the consumer authentication information and the first-determined equipment identifier an indication that the single sign-on feature is activated.
In response to the consumer initiating a second request for access to the information account, the network device may transmit to the host server a second-determined equipment identifier. In response to receiving the second-determined equipment identifier, the host server may consult the authentication table to determine whether the second-determined equipment identifier matches the first-determined equipment identifier. If so, the host server may determine from the authentication table whether the single sign-on feature is activated. If the single sign-on feature is activated, the host server may transmit to the network device a message that causes any sign-on interface associated with the information account to be by-passed. Prior to transmitting the message for by-passing the sign-on interface, the host server may determine whether a difference between a current time and the time at which the consumer was previously authenticated is not less than a time out interval or whether some other terminating event has occurred. If a terminating event has occurred, the message for by-passing the sign-on interface may not be sent.
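The host-server side of this procedure (the two paragraphs above, and claims 13 through 15 earlier on the page), as an added example that is not the patent's own code: an in-memory authentication table keyed by equipment identifier, a PBKDF2 check of the consumer authentication information, and the time-out test as the summary states it (expired when the difference between the current time and the previous authentication exceeds the interval). The class and method names, the 15-minute interval and the consumer credentials are assumptions; note that the equipment identifier stands in for the credentials on the second request, so it must travel only over a protected channel.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Assumed time-out interval in seconds; the page does not fix a value.
TIMEOUT_INTERVAL = 15 * 60


def _hash_password(password: str, salt: bytes) -> bytes:
    # How the host server stores credentials is not specified on the page;
    # a salted PBKDF2 hash is the assumed (defensive) choice here.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class AuthRow:
    """One row of the authentication table (assumed layout), keyed by the
    first-determined equipment identifier."""
    username: str            # consumer authentication information it belongs to
    sso_active: bool         # indication that single sign-on is activated
    authenticated_at: float  # time of the sign-on


class HostServer:
    def __init__(self) -> None:
        # Constructed consumer credentials: username -> (salt, pbkdf2 hash).
        salt = secrets.token_bytes(16)
        self._credentials: Dict[str, Tuple[bytes, bytes]] = {
            "alice": (salt, _hash_password("correct horse", salt)),
        }
        # Authentication table: equipment identifier -> row.
        self._auth_table: Dict[str, AuthRow] = {}

    def first_request(self, username: str, password: str, equipment_id: str,
                      activate_sso: bool, now: float) -> bool:
        """First web-site: the consumer typed the authentication information.
        Authenticate it and record the equipment identifier, the sign-on time
        and whether the consumer chose to activate single sign-on."""
        cred = self._credentials.get(username)
        if cred is None:
            return False
        salt, stored = cred
        if not hmac.compare_digest(stored, _hash_password(password, salt)):
            return False
        self._auth_table[equipment_id] = AuthRow(username, activate_sso, now)
        return True

    def second_request(self, equipment_id: str, now: float) -> str:
        """Subsequent web-site: decide which message goes back to the network
        device, 'BYPASS' (skip the sign-on interface) or 'PROMPT'."""
        row = self._auth_table.get(equipment_id)
        if row is None or not row.sso_active:
            return "PROMPT"  # no matching identifier, or SSO not activated
        # Terminating event: time-out has expired when the difference between
        # the current time and the previous authentication exceeds the interval.
        if now - row.authenticated_at > TIMEOUT_INTERVAL:
            row.sso_active = False  # deactivate SSO; the consumer signs on again
            return "PROMPT"
        return "BYPASS"

    def terminate(self, equipment_id: str) -> None:
        """Any other terminating event (e.g. the consumer signs out)."""
        row = self._auth_table.get(equipment_id)
        if row is not None:
            row.sso_active = False

    def row_for(self, equipment_id: str) -> Optional[AuthRow]:
        return self._auth_table.get(equipment_id)
```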
Additional embodiments, examples, variations and modifications are also disclosed herein.
In one or more embodiments, a system and method are provided for enabling consumers to store and maintain a comprehensive information profile (hereinafter “information account”) in a centralized data repository that is accessible over a distributed electronic network, such as the Internet. The information account may be used to store any type of data desired by the consumer, including, for example, demographic information, financial information, medical information, family information, contact information, documents, image files, multimedia files, etc. The centralized data repository is preferably accessible via a network by any authorized network device. In various embodiments, no specialized application programs are required to be permanently downloaded to the consumer's network device in order to access the information account.
According to certain embodiments, at the consumer's direction, selected information in the information account may be accessed and, if desired, shared with authorized vendors, business partners or any other entity that requires certain of the consumer's information. The terms “vendor” and “business partner” are used herein in a general sense to refer to persons, businesses, enterprises or entities that make products or services available to consumers. As used herein, the terms “consumer,” “buyer,” and “user” are interchangeable.
Server-side software or temporary client-side software may, in some embodiments, be used to manage communications with the information account and to automatically integrate that consumer information into a process executed by a network device. As an example, the network device may execute a business process relating to a consumer-initiated activity, such as a retail transaction. The server-side software or temporary client-side software may receive consumer information from the information account and use that information to automatically populate the input fields of a form or the input requirements of a process that is to be submitted to a vendor's server or other network device during an application, registration or transaction process.
The data in the information account is preferably stored using a tagged data format. In one embodiment, the data in the information account may be stored using the Extensible Markup Language (“XML”) data format, which is an open standard for describing data from the World Wide Web Consortium (“W3C”). As is known in the art, XML tags are used to define the types of information that are represented by the data element. The XML standard provides a great deal of flexibility in that custom tags may be defined for any type of information that the consumer may desire to store in the information account. Using any well-known XML-related querying, parsing, transforming and/or filtering techniques, individual data elements in the information account may be accessed, updated, deleted, created, or otherwise manipulated.
The information account may be structured as one or more data aggregates, e.g., XML data aggregates. An entire XML data aggregate is stored within a data field of a database table. This data field is a long text field containing all of the information associated with the given record. In one embodiment, all consumer information in the information account may be stored in a single XML data aggregate comprising consumer information elements and sub-elements. Attributes may also be associated with any element and sub-element in order to provide additional information. A transformation or filtering mechanism, such as “Style Sheets,” may be applied to the single XML data stream in order to extract only selected data elements therefrom at the direction of the consumer.
In an alternative embodiment, the information account may be normalized into a plurality of discrete data aggregates, each aggregate representing a predetermined “information product.” An information product refers to a package of consumer information relating to, for example, a specific product or service offered by a vendor or that is important to vendors with similar consumer information needs. For example, a mortgage information product might contain all consumer information that would be required to complete a lender's mortgage application. Individual information products may be retrieved from the information account and transmitted to authorized vendors at the request of the consumer.
Access constraints may be utilized in one or more embodiments as described herein to allow for the establishment of “exchanges.” An exchange generally refers to a group of entities that are authorized to accept consumer information from the information account at the request of the consumer. The information account may be accessed for retrieval of information to be used in commerce with any vendor or entity that is a member of the exchange. In much the same way that a consumer may have several different credit cards or debit cards that are each accepted only by certain merchants, the consumer may have several information accounts that are each valid only on specified exchanges.
Exchanges may be implemented, for example, through “inflow” and/or “outflow” constraints imposed by the exchanges. An inflow constraint imposed by an exchange may, for example, dictate that only information accounts associated with specific other exchanges will be accepted or that no information accounts associated with other exchanges will be accepted. An outflow constraint may dictate that information accounts associated with an exchange may only be used within that exchange and within no other exchanges. Various business situations and partnerships may drive the implementation of inflow and outflow constraints. Revenue sharing models may be established in order to provide financial incentives to exchanges and/or individual vendors that facilitate the creation of an information account or the use of an information account to complete a transaction.
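Filtering a single XML data aggregate down to the elements one web-site needs (the XML and information-product paragraphs above), gated by the consumer's release choice and by the exchange inflow and outflow constraints just described, as an added example that is not the patent's own code. The account contents, the vendor registry keyed by web-site identification, the exchange tables and the function names are constructed for illustration; the page describes style sheets for the filtering step, and plain ElementTree paths stand in for them here.

```python
import xml.etree.ElementTree as ET
from typing import Dict, Set

# Constructed sample information account: one XML data aggregate whose
# top-level elements are the groups the consumer may choose to release.
ACCOUNT_XML = """<InformationAccount exchange="retail-x">
  <Name><First>Alice</First><Last>Example</Last></Name>
  <Address><Street>1 Main St</Street><City>Springfield</City>
           <State>IL</State><Postal>62701</Postal></Address>
  <Financial><AccountRef>acct-0001</AccountRef><Limit>5000</Limit></Financial>
</InformationAccount>"""

# Constructed vendor registry keyed by web-site identification: the exchange
# the site belongs to, and its form fields mapped to account element paths
# (this is the "information product" the site requires).
VENDORS = {
    "shop.example": {
        "exchange": "retail-x",
        "fields": {"first_name": "Name/First", "last_name": "Name/Last",
                   "street": "Address/Street", "city": "Address/City",
                   "state": "Address/State", "zip": "Address/Postal"},
    },
    "lender.example": {
        "exchange": "finance-y",
        "fields": {"first_name": "Name/First", "last_name": "Name/Last",
                   "account_ref": "Financial/AccountRef"},
    },
}

# Constructed exchange constraints. INFLOW: which account exchanges a site's
# exchange accepts. OUTFLOW_LOCKED: the account exchange's accounts may be
# used only within that exchange.
INFLOW: Dict[str, Set[str]] = {
    "retail-x": {"retail-x"},
    "finance-y": {"finance-y", "retail-x"},
}
OUTFLOW_LOCKED: Dict[str, bool] = {"retail-x": False, "finance-y": True}


def exchange_permits(account_exchange: str, site_exchange: str) -> bool:
    """Both constraints must pass: the account's exchange must allow outflow
    and the site's exchange must accept inflow from the account's exchange."""
    if account_exchange == site_exchange:
        return True
    if OUTFLOW_LOCKED.get(account_exchange, True):   # unknown: treat as locked
        return False
    return account_exchange in INFLOW.get(site_exchange, set())


def retrieve_for_website(account_xml: str, website_id: str,
                         released: Set[str]) -> Dict[str, str]:
    """Host-server retrieval step: filter the aggregate by the web-site being
    accessed, returning only elements in groups the consumer released.
    Raises PermissionError when the exchange constraints forbid the transfer."""
    vendor = VENDORS.get(website_id)
    if vendor is None:
        raise KeyError(f"unknown web-site: {website_id}")
    root = ET.fromstring(account_xml)
    account_exchange = root.get("exchange", "")
    if not exchange_permits(account_exchange, vendor["exchange"]):
        raise PermissionError(
            f"account on {account_exchange!r} not usable on {vendor['exchange']!r}")
    selected: Dict[str, str] = {}
    for field, path in vendor["fields"].items():
        group = path.split("/", 1)[0]
        if group not in released:
            continue  # consumer did not release this group to this vendor
        value = root.findtext(path)
        if value is not None:
            selected[field] = value.strip()
    return selected
```

The returned dict is what the client-side application would parse and auto-populate into the vendor's input fields; anything the consumer did not release, or that the exchange rules forbid, never leaves the host server.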
Exemplary embodiments will now be described with reference to the drawings, in which like numerals represent like elements throughout the several figures. A high-level block diagram of a system in accordance with an exemplary embodiment is shown in and described with reference to
In the system illustrated in
A network device may generally comprise any device that is capable of communicating with the resources of the network 106. A network device may comprise, for example, a network server 108 & 114, a client device 104, a wireless client device 104a or a dedicated storage device (e.g., the central data repository 102.) In the embodiment shown in
A client device 104 may comprise a desktop computer, a laptop computer and the like. A wireless client device 104a may comprise a personal digital assistant (PDA), a digital and/or cellular telephone or pager, a handheld computer, or any other mobile device. These and other types of client devices 104 & 104a will be apparent to one of ordinary skill in the art. For convenience, the following explanation will be made with reference to a client device 104 generically, but, unless otherwise indicated, it will be understood that the principles and concepts described will also encompass wired or wireless devices, such as wireless client device 104a illustrated in
According to a preferred embodiment, a client device 104 may execute a browser 112 or another suitable application for interacting with web page files 116 hosted by a vendor server 114 and other network devices. Through the graphical user interface provided by a displayed web page file 116, the vendor may require the consumer (i.e., the operator of the client device 104) to input certain information pertaining to or associated with the consumer. According to certain embodiments, a consumer may be permitted to direct that the requested information be transmitted from the information account 110 to the client device 104 for processing. Although exemplary embodiments will be described herein in the context of a web-based environment, those skilled in the art will appreciate that other environments are suitable as well.
The description of exemplary embodiments with reference to
In accordance with a preferred embodiment, the consumers may maintain sole responsibility for storing and updating the information in the information account 110. Only the consumer, or those authorized by the consumer, may use the information account 110 to complete e-commerce or m-commerce activities. Consumers create an information account 110 either through a website hosted by the host server 108 or a website hosted by a vendor server 114. For example, after manually completing a form displayed by a vendor's website, the consumer can choose to create an information account 110 and have the consumer information stored therein.
Upon creation of an information account 110, a consumer may be given an identification number, a username and/or a password. Other types of consumer authentication information are known in the art and may also be used in the context of the present invention. The system of
A web page file 116 displayed by the browser 112 may include input fields for the input of consumer information. The web page file 116 may also include an instruction (e.g., a “call”) that causes the browser 112 to download and execute a client-side application 105. JAVA applets are well known client-side applications and are particularly suited for use in various embodiments due to their platform-independent nature. However, any other type of client-side application may be used without departing from the spirit and scope of the present invention. The client-side application 105 resides in temporary memory storage of the client device 104, such as cache memory or the like, and may be removed from the client device 104 after its execution is complete. The client-side application 105 is specific to the browser session only and not to the client device 104. Multiple client-side applications 105 may be executed at the same time if multiple browser windows are executed by the client device 104. The client-side application 105 provides functionality for facilitating communications between the browser 112 executed by the client device 104 and the database management system (“DBMS”) 109 of the host server 108.
One responsibility of the client-side application 105 is to provide authentication information associated with the consumer and the vendor to the host server 108. Depending on the desired level of security within the system, authentication information may comprise a username, user ID, password, key, certificate and the like. Authentication information regarding the vendor may be embedded within the web page file 116 for extraction by the client-side application 105. Alternatively, the client-side application 105 may communicate with the vendor server 114 to retrieve such vendor authentication information. Authentication information regarding the consumer may be supplied by the consumer via a user interface displayed by the client-side application 105 or by a displayed web-page file 116. Communications relating to authentication information may be accomplished using a secure transmission protocol or handshake, such as the secure shell BSD, Point to Point Tunneling Protocol (PPTP), also commonly known as Virtual Private Network, and/or the Secure Sockets Layer (SSL) protocol. Other methods for achieving a secure connection over the network 106 will be apparent to those of ordinary skill in the art. Authentication information may also be encrypted and transmitted over an open network using any appropriate protocol.
The client-side application 105 is also responsible for determining the type of consumer information that is required by the input fields of the displayed web page file 116. After determining the type of consumer information that is required, the client-side application 105 may formulate a database query in a language that is understood by the DBMS 109. At a minimum, client-side application 105 communicates enough information to the DBMS 109 regarding the required consumer information so that the DBMS can formulate a database query. In one embodiment, the DBMS 109 exposes an application program interface (“API”) that can be utilized by the client-side application 105. An example of one such API is known as the Simple Object Access Protocol (“SOAP”). SOAP is a protocol that provides for interoperability between heterogeneous HTTP-based software and XML-based software. SOAP provides access to services, objects, and servers in a platform-independent manner. Since SOAP relies on HTTP as the transport mechanism, and most firewalls allow HTTP to pass through, SOAP endpoints may usually be invoked from either side of a firewall.
The client-side application 105 may transmit the database query (or information to form the database query) to the host server 108 along with the above-mentioned authentication information over a secure connection. In such a scenario, the authentication information and the query information may be passed to the DBMS 109. The DBMS 109 attempts to authenticate the vendor and the consumer using the authentication information and corresponding information that was previously stored in the data repository 102. If authentication is successful, the DBMS 109 queries the information account 110 using the appropriate database connectivity protocol, such as the Open Database Connectivity (“ODBC”) protocol, the Java Database Connectivity Protocol (“JDBC”), or any other suitable protocol.
As mentioned above, the data in the information account 110 may be encrypted. Thus, in response to the query, the DBMS 109 may receive an encrypted search result. The search result, for example, may be in the form of a stream of XML data that has been filtered from the information account. The DBMS 109 or other program module executed by the host server 108 may be responsible for decrypting the search result. The decrypted search results may then be transmitted to the client-side application 105 via the previously established or a new secure connection.
In the alternative, the client-side application 105 may manage authentication and querying as separate processes. As an example, authentication may be handled using a secure connection as described above. Upon acknowledgment of authentication, the secure connection may be closed and the query process may be handled using open network communication protocols. In response to the query, the encrypted search result may be transmitted to the client-side application 105 over the open network and the client-side application 105 may be responsible for decryption.
The client-side application 105 may also be responsible for parsing the data elements included in the search result and auto-populating the parsed data into the input fields of the displayed web page file 116. Again, the client-side application 105 may translate the XML data into HTTP data using SOAP or another suitable protocol. Those skilled in the art will appreciate that in certain embodiments, especially where user verification of the consumer information is not required, the client-side application 105 may transmit the consumer information directly to the vendor server 114 without populating the consumer information into the displayed web page file 116. If the input fields are auto-populated, the consumer has the opportunity to verify the information displayed in the input fields, make any necessary modifications, and then interact with the displayed web page file 116 to submit the information to the vendor server 114. Any modifications to the consumer information that are made by the consumer may be detected by the client-side application 105, which may then transmit the modified data back to the host server 108 for an appropriate update of the information account 110. In addition, the client-side application 105 may determine whether the consumer inputs new data into the input fields, and if so, transmit that new information to the host server 108 for storage in the data repository 102. The consumer may interact with the displayed web page file 116 to submit the consumer information to the vendor server 114. The vendor server 114 may then process the consumer information, as needed, by way of a processing module.
In an alternative embodiment, a server-side application 107 may be employed instead of a client-side application 105 to manage communications with the host server 108. An authorized server-side application 107 may receive consumer information directly from the host server 108 and present that consumer information to the client device 104 (e.g., via the browser 112) for display to the consumer. A web page file 116 hosted by the vendor server 114 may be accessed and displayed by the browser 112 of the client device 104. The displayed web page file 116 may present a user interface for input of consumer authentication information. In a preferred embodiment, the consumer authentication information is transmitted from the client device 104 to the host server 108 for authentication of the consumer. In addition, the client device 104 may also transmit a request that a “ticket” be provided to the vendor server 114.
As used herein, the term “ticket” refers to a temporary authorization for at least partial access to a consumer's information account 110. Although not shown in the figure, an information account 110 may be associated with a data table or other data structure that correlates one or more tickets with a set of consumer-defined attributes. The consumer-defined attributes may determine such things as the number of times that the password may be used to access the information account 110 (e.g., one-time use), any period of validity associated with the ticket (e.g., ticket expires one week from issuance), whether the ticket carries read, write and/or modify privileges, etc. The ticket attributes may also include any number of identifiers, such as a vendor identifier, a data identifier, and filter identifiers, which may be used to ensure that the party using the ticket is in fact authorized to do so, and to ensure that only authorized data is filtered for release to that party.
Upon authenticating the consumer, for example by using standard browser authentication techniques, the host server 108 may redirect the browser 112 of the client device 104 to another web page data file 116 (e.g., another web page data file 116 hosted by the vendor server 114), including the ticket as a parameter in the URL. In response to detecting the ticket, the vendor server 114 may extract the ticket and pass it to the server-side application 107. The server-side application 107 may then use the ticket to authenticate itself to the host server 108, for example using SOAP or another suitable protocol.
In accordance with one embodiment as described herein, a ticket generated by the host server 108 may be a “Globally Unique Identifier” (“GUID”). A GUID preferably comprises a unique number that is computed by adding the time and date to a network adapter's internal serial number, or by any other suitable technique. The ticket may be encrypted. For example, the ticket may be encrypted using the vendor's public key and the resulting binary encrypted blob may be base64-encoded so that it can be included as a parameter in a URL. At the vendor server 114, the parameter may be extracted from the URL, base64-decoded and then decrypted using the vendor's private key. Other encryption techniques may also be used.
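The ticket table and the redemption checks described above, as an added illustration that is not code from the patent. Everything in it is constructed: the host keeps an in-memory table correlating each ticket with its attributes (vendor identifier, privileges, period of validity, use count, filter identifier); the ticket is a random GUID from `uuid.uuid4()` rather than the time-plus-adapter-serial construction mentioned in the text, because a random identifier cannot be guessed by a party that knows the issuing host's clock and hardware; and the public-key wrapping of the ticket for the vendor is omitted so the example runs with the standard library alone. The URL parameter helpers show the base64 step in its URL-safe, unpadded form.

```python
import base64
import time
import uuid
from dataclasses import dataclass


@dataclass
class TicketAttributes:
    """Consumer-defined attributes correlated with one ticket (constructed schema)."""
    vendor_id: str          # party the ticket is bound to
    privileges: frozenset   # subset of {"read", "write", "modify"}
    expires_at: float       # period of validity, as a Unix timestamp
    uses_remaining: int     # 1 means one-time use
    filter_id: str          # filter that decides which data is released to this party


class TicketTable:
    """Host-side table correlating tickets with their attributes (hypothetical)."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be exercised deterministically
        self._tickets = {}       # ticket GUID -> TicketAttributes

    def issue(self, vendor_id, privileges, validity_seconds, uses=1, filter_id="default"):
        # uuid4 is drawn from the OS random source, so the ticket value is unguessable.
        guid = str(uuid.uuid4())
        self._tickets[guid] = TicketAttributes(
            vendor_id, frozenset(privileges), self._now() + validity_seconds, uses, filter_id)
        return guid

    def redeem(self, guid, presenting_vendor_id, requested_privilege):
        """Return (filter_id, "ok") or (None, reason); every check passes before a use is consumed."""
        attrs = self._tickets.get(guid)
        if attrs is None:
            return None, "unknown ticket"
        if attrs.vendor_id != presenting_vendor_id:
            return None, "ticket not bound to this vendor"
        if self._now() > attrs.expires_at:
            del self._tickets[guid]
            return None, "ticket expired"
        if requested_privilege not in attrs.privileges:
            return None, "privilege not granted"
        attrs.uses_remaining -= 1
        if attrs.uses_remaining <= 0:
            del self._tickets[guid]     # a one-time ticket disappears after its single use
        return attrs.filter_id, "ok"


def to_url_param(guid):
    """URL-safe base64 without padding, so the ticket can travel as a query parameter."""
    return base64.urlsafe_b64encode(guid.encode()).decode().rstrip("=")


def from_url_param(param):
    """Reverse of to_url_param; restores the padding base64 requires."""
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4)).decode()
```

The order of the checks matters: the vendor binding and expiry are tested before the use count is decremented, so a rejected presentation never consumes a one-time ticket, and an expired ticket is removed from the table the first time it is seen rather than lingering.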
In an alternative embodiment, consumer authentication information may be submitted from the client device 104 to the server-side application 107 at the vendor server 114. The server-side application 107 may then transmit the consumer authentication information and vendor authentication information to the host server 108 for authentication of both the consumer and the vendor. The consumer authentication information may be encrypted at the client device 104 and decrypted only at the host server 108. Such an embodiment, however, places a significant amount of control over the consumer's data in the hands of the vendor, and thus may not be preferable.
The server-side application may be identified by an application identifier (“APPID”). The APPID may be associated at the host server 108 (e.g., by the DBMS 109) with a particular filtering mechanism. As mentioned, style sheets are well-known and highly suitable filtering tools for use in conjunction with XML data. In response to authenticating the server-side application 107 and identifying the appropriate filter, consumer information may be filtered from the information account 110 and transmitted back to the server-side application 107. The server-side application 107 may then parse the consumer information, for example, in order to auto-populate a form, which may or may not have been previously displayed to the consumer.
As in the case of the client-side application 105, the server-side application 107 may receive decrypted consumer information from the host server 108 via a secure connection, or may receive encrypted consumer information via the open network. Thus, the server-side application 107 may be configured to perform decryption as necessary. The consumer information thus received from the host server 108 may be presented to the consumer for verification. Any modifications or additions made to the consumer information may be submitted back to the server-side application 107 for communication to the host server 108. The DBMS 109 may then update and/or create the information account 110 in the appropriate manner. The consumer may interact with the displayed web page file 116 to submit the consumer information to the vendor server 114. The vendor server 114 may then process the consumer information, as needed, by way of a processing module.
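An APPID-keyed filter over the XML information account, as an added example that is not part of the patent; it serves the two paragraphs above on the application identifier and the filtered release of consumer information. The account document, the two application identifiers and the filter table are all constructed. Instead of a style sheet, the filter is expressed as a list of element paths the application may receive, and the host prunes everything else from the stream before it leaves, so a server-side application only ever sees the elements bound to its identifier.

```python
import xml.etree.ElementTree as ET

# Constructed sample information account, serialised as the XML stream the text describes.
ACCOUNT_XML = """\
<informationAccount consumerId="c-0001">
  <profile>
    <firstName>Ada</firstName>
    <lastName>Sample</lastName>
    <dateOfBirth>1970-01-01</dateOfBirth>
    <address><street>1 Example Street</street><city>Springfield</city></address>
    <salary>50000</salary>
  </profile>
  <product id="HomeLoan"><loanAmount>250000</loanAmount><term>30</term></product>
  <product id="AutoLoan"><loanAmount>18000</loanAmount></product>
</informationAccount>
"""

# Hypothetical filter table held at the host: APPID -> paths (relative to the root)
# the application is allowed to receive. Anything not listed is never released.
APP_FILTERS = {
    "APP-SHIPPING": ["profile/firstName", "profile/lastName", "profile/address"],
    "APP-HOMELOAN": ["profile/firstName", "profile/lastName", "profile/salary",
                     "product[@id='HomeLoan']"],
}


def _key(elem):
    """Path component for an element; product records are told apart by their id."""
    pid = elem.get("id")
    return f"{elem.tag}[@id='{pid}']" if pid else elem.tag


def _prune(elem, prefix, allowed):
    for child in list(elem):
        path = f"{prefix}{_key(child)}"
        if path in allowed:
            continue                                   # whole subtree is released
        if any(a.startswith(path + "/") for a in allowed):
            _prune(child, path + "/", allowed)         # ancestor of a released element: keep, descend
        else:
            elem.remove(child)                         # not covered by the filter: drop


def filter_account(account_xml, app_id):
    """Apply the filter bound to an APPID and return the reduced XML stream."""
    if app_id not in APP_FILTERS:
        raise PermissionError(f"unknown application identifier: {app_id}")
    root = ET.fromstring(account_xml)
    _prune(root, "", set(APP_FILTERS[app_id]))
    return ET.tostring(root, encoding="unicode")


def released_paths(xml_text):
    """Sorted paths of the leaf elements in a stream, useful for auditing what was released."""
    out = []

    def walk(elem, prefix):
        children = list(elem)
        if not children:
            out.append(prefix.rstrip("/"))
            return
        for child in children:
            walk(child, f"{prefix}{_key(child)}/")

    walk(ET.fromstring(xml_text), "")
    return sorted(out)
```

An unknown APPID is refused outright rather than mapped to a permissive default, which keeps the filter table the single place where data release is decided.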
Those skilled in the art will appreciate that the illustration and discussion of exemplary embodiments with reference to
A consumer information element 202 may comprise any type of data or information, including text strings, objects, files, applications, etc. Obviously, the more consumer information that is stored in the information account 110, the larger the XML data stream will be. The size of the XML data stream is limited only by the hardware and software limitations of the system (e.g., memory size, processor speed, bandwidth, etc).
An information account 110 is preferably unique to a single consumer. Each information account 110 stored in the data repository 102 may thus comprise a discrete XML data stream. Each information account 110 stored in the data repository 102 may be individually encrypted. For example, one method for encrypting an information account 110 may involve use of the consumer's public key. Accordingly, only someone having access to the consumer's private key will be able to decrypt the consumer's information. Many other and/or additional methods for encrypting information accounts 110 and/or the entire data repository 102 will occur to those skilled in the art.
Although not shown in
The number of aggregates or records included within the information account 110 of a given consumer depends upon the number of information products for which the consumer has elected to store information. For example, a consumer who has elected to store information about two separate products, such as a car loan and a mortgage loan, would have at least three data aggregates in his information account 110. One such data aggregate would represent the primary profile record and each of the two other data aggregates would include information about one of the information products. Data aggregates may include but are not limited to the following information products: Home Loan, Auto Loan, Student Loan, Home Insurance, Auto Insurance, Life Insurance, Online Banking, Credit Card, Government Services, Education, Career, Travel, Retail, and Relocation. If a consumer creates or updates an information account via a vendor's web site and thereby inputs information regarding a new product, a new product record 302b–c will be created in the information account. Each product record 302b–c created for the consumer is of course associated with the primary profile record 302a.
If an information account 110 is segmented into multiple discrete data aggregates, there may be a need for maintaining consistency among redundant data elements stored in multiple information products. “Latent referential processing” is one method for maintaining data consistency, and in this context refers to the use of a series of pointers or references to flag data that is redundant across multiple products. According to latent referential processing, when a record 302a–c is created or updated, redundant information elements that are stored in other data aggregates typically are not also updated until the next time the information account is accessed. For example, if salary information is updated in a home loan information product record, redundant salary information in the consumer's auto loan information product record will generally not be immediately updated. Thus, latent referential processing allows data inconsistencies to exist within the information account after an update.
As is shown and described with reference to
In another embodiment, redundancy and consistency concerns are addressed by normalizing the data aggregates of the information account 110 to the extent possible. For example, an information account 110 may be configured such that the consumer's profile record 302a stores the majority of the consumer's personal information. The profile record 302a may comprise predefined data elements, such as “first name,” “middle name,” “last name,” “date of birth,” etc. The profile aggregate 302a may also be expanded to include any additional and/or custom fields. Additional aggregates corresponding to information products 302c may contain pointers 306 to the data fields within the profile aggregate 302a. Thus, the information account 110 may be configured to store within one aggregate a single instance of an information element that is referenced by other aggregates. As information product aggregates 302c are formed independently of the profile aggregate 302a, data elements that are not unique to those information product aggregates 302c may be ported into the profile aggregate 302a if desired.
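Both consistency strategies described above, latent referential processing and the normalized layout with pointers 306 into the profile aggregate 302a, as an added model that is not code from the patent. The record shapes and field names are constructed. A product field registered as redundant is written in one record only and flagged; other copies stay stale until the next access reconciles them, which is the inconsistency window the text describes. A product field that holds a `Ref` has no copy of its own and reads and writes through to the single instance in the profile.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Ref:
    """Pointer from a product aggregate to a field of the profile aggregate (normalized layout)."""
    profile_field: str


class InformationAccount:
    """Constructed model of one account: a profile record plus product records."""

    def __init__(self, profile):
        self.profile = dict(profile)   # primary profile record
        self.products = {}             # product id -> product record
        self._groups = {}              # logical element -> [(product id, field), ...] redundant copies
        self._latest = {}              # logical element -> most recently written value

    def add_product(self, pid, record, redundant=None):
        """`redundant` maps fields of `record` to the logical element they duplicate elsewhere."""
        self.products[pid] = dict(record)
        for field, element in (redundant or {}).items():
            self._groups.setdefault(element, []).append((pid, field))
            self._latest.setdefault(element, record[field])

    def update(self, pid, field, value):
        """Write one record. Latent copies are flagged, not rewritten; pointers write through."""
        record = self.products[pid]
        current = record.get(field)
        if isinstance(current, Ref):
            self.profile[current.profile_field] = value   # single instance, nothing to reconcile
            return
        record[field] = value
        for element, copies in self._groups.items():
            if (pid, field) in copies:
                self._latest[element] = value             # every other copy is now stale

    def stale_copies(self):
        """Redundant fields that disagree with the latest write: the inconsistencies the text allows."""
        return sorted((pid, field)
                      for element, copies in self._groups.items()
                      for pid, field in copies
                      if self.products[pid][field] != self._latest[element])

    def read(self, pid):
        """Access reconciles every latent copy, then resolves pointers for the requested record."""
        for element, copies in self._groups.items():
            for p, field in copies:
                self.products[p][field] = self._latest[element]
        return {k: (self.profile[v.profile_field] if isinstance(v, Ref) else v)
                for k, v in self.products[pid].items()}
```

`stale_copies()` is the check a practitioner would want before releasing data to a vendor: with latent processing, a record filtered out between an update and the next access can still carry the old value.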
The profile record 302a and each information product record 302b–c may further be associated with a transaction log record 406. Each time the profile record 302a or an information product record 302b–c is acted upon, detailed transaction information 408 may be recorded in a new transaction log record 406 (not to be confused with the above-mentioned time stamp log.) Transaction information 408 may provide the basis for all transaction billing and revenue sharing events. By way of example only, the transaction record 406 may identify the vendor server through which the information account 110 was created. The transaction record 406 may also identify the vendor server through which a transaction was completed using the information account 110.
As used herein, the term “transaction” refers broadly to any activity related to an information account, including, but not limited to a create transaction, delete transaction, update transaction, authentication transaction, a request for information from authorized vendors, a client device and/or vendor server 114 request, a publishing and form filling transaction, and a submit transaction where the information account 110 is processed into the requesting vendor's systems. A portion of any monies billed upon completion of a transaction may be shared with each of the vendor servers identified in the transaction record 406.
The generalized interaction diagram begins at step 501, where the consumer operates a browser 112 to retrieve a web page file 116 from the vendor server 114 via the network 106. The web page file 116 retrieved from the vendor server 114 may be enabled for interaction with the consumer's information account 110 and may thus include an instruction that causes the browser 112 to download a client-side application from the host server 108. At step 502, the client-side application is downloaded from the host server 108 to the browser 112. At step 504, the consumer interacts with the browser 112 to request use of the information account 110, which in this example has already been created. The web page file 116 may display a selectable icon or other indicia that allows the consumer to request use of the information account 110. Alternatively, the client-side application 105 may provide the interface for requesting use of the information account 110.
Next at step 506, the client-side application 105 displays a login interface to the consumer. The login interface may be displayed, for example, in the open display window of the browser 112, in a pop-up window, or in any other suitable manner. At step 508 the consumer inputs consumer authentication information, which is transferred from the browser to the client-side application 105. Consumer authentication information may comprise, for example, a username, user ID, password, challenge phrase, email address, etc. At step 510, the user authentication information is combined with vendor authentication information and is sent to the DBMS 109. Vendor authentication information may comprise a vendor ID, password, product ID, application ID, and the like. Vendor authentication information may be used to authenticate the vendor and to determine the manner in which consumer information is to be filtered from the information account 110.
After the DBMS 109 receives the authentication information, it submits an authentication request to the data repository 102 at step 512. The authentication request may be a database query to determine if the supplied consumer authentication information and vendor authentication information are consistent with previously stored authentication information. In response to authenticating the consumer and the vendor, the DBMS 109 performs one or more database queries at step 514 to retrieve consumer information elements from the information account 110. Depending on the structure of the information account, the DBMS 109 may retrieve certain products (identified by product ID) from the information account 110, or may retrieve a set of data elements filtered according to a vendor ID or an application ID. If consumer information is retrieved according to products, an iterative lightweight transfer (“LWT”) process may be performed in order to get the best set of data elements for each new product ID. Lightweight transfer techniques are well-known in the art and generally involve the use of thin protocols and/or smart proxies that can cache results and perform buffered reads and writes, minimizing the number of network calls.
Once the DBMS 109 has retrieved the relevant consumer information, the consumer information elements may be merged (if appropriate), decrypted (if appropriate) and/or further filtered (if appropriate) at step 518. Then, at step 520, the resulting information elements are transmitted to the client-side application 105, for example in the form of an XML data stream. At step 522, the client-side application 105 parses the received XML data and transforms it into the required format for populating the input fields of the displayed web page file 116. The client-side application 105 then auto-populates the input fields of the displayed web-page file 116 at step 524. The consumer may interact with the browser 112 to edit or modify the auto-populated information at step 526. Because there may be multiple web page files 116 associated with the vendor website, steps 524 and 526 are repeated until all data has been auto-populated and/or edited on every included web page. The client-side application 105 monitors the edit process to determine if the consumer desires to modify and/or supplement any of the consumer information elements.
The consumer may then interact with the browser 112 at step 528 in order to submit the consumer information that has been entered into the displayed web page file(s) 116 to the vendor server 114. The vendor server 114 receives and processes the consumer information elements at step 530. After processing the consumer information, the vendor server 114 preferably transmits a “success page” or other acknowledgement to the consumer's browser 112 at step 532.
Either through a selectable icon or other indicia displayed on the success page or displayed by the client-side application 105, or any other interactive means, the consumer may interact with the browser 112 at step 534 to submit an update request to the DBMS 109. Update is an event whereby the information account 110 is updated to reflect any edits that the consumer may have made to the consumer information at step 526. Thus, a consumer is permitted to update the information account 110 via a vendor's website. As another option, the consumer may elect to update the information account 110 at a later time directly via the host server 108.
At step 536 the client-side application submits the consumer's XML data (possibly only the edited data) and the update request to the DBMS 109. Then at step 538 the update request is submitted to the data repository for authentication. In the authentication process, consumer authentication information, vendor authentication information and, if appropriate, product identification information (which are all included in the update request) are verified. Upon authentication of the update request, the XML data is validated at step 540 and the update is performed at step 542. The DBMS then sends the update result (success or failure) to the client-side application 105 at step 544, which in turn displays the update result to the browser 112 at step 546. The exemplary generalized interaction diagram then ends at step 548.
The exemplary embodiments discussed with reference to
The exemplary interaction diagram of
Next at step 608 the consumer interacts with the browser 112 in order to submit the consumer information to the vendor server 114. The vendor server 114 receives and processes the consumer information elements at step 610. After processing the consumer information, the vendor server 114 transmits a “success page” or other acknowledgement to the consumer's browser 112 at step 612. Either through a selectable icon or other indicia displayed on the success page or displayed by the client-side application 105, the consumer may interact with the browser 112 at step 614 to submit a request for creation of an information account 110 to the DBMS 109. Thus, the consumer may be permitted to create an information account 110 via a vendor's website. As another option, the consumer may elect to create an information account 110 at a later time directly via the host server 108.
At step 616 the client-side application submits the consumer's XML data and the create request to the host server 108. Then at step 618 the host server 108 transmits an information account creation interface to the browser 112. The consumer inputs consumer authentication information via the information account creation interface at step 622 and the browser 112 passes the create request (which may include the consumer authentication information, the vendor authentication information, etc.) to the client-side application 105 at step 624.
At step 626, the create request is combined with the consumer's XML data and is sent to the DBMS 109. In response to receiving the authentication information, the DBMS 109 submits an authentication request to the data repository 102 at step 628. The authentication request may be a database query to determine if the supplied consumer authentication information and vendor authentication information are consistent with previously stored authentication information. In response to authenticating the consumer and the vendor, the DBMS 109 validates the consumer's XML data at step 630 and creates a new information account 110 at step 632.
Once the information account has been created, the DBMS 109 sends the create result (success or failure) to the client-side application 105 at step 634, which in turn displays the create result to the browser 112 at step 636. At step 638, the host server 108 creates an acknowledgment email to be sent to the consumer's email account. At step 640, the host server requests and receives the consumer's email address from the DBMS 109. At step 642 the consumer's acknowledgment email is delivered to the consumer. The exemplary generalized interaction diagram then ends at step 644.
The generalized interaction diagram of
At step 708, the user authentication information is combined with vendor authentication information and is sent to the DBMS 109. Vendor authentication information may comprise a vendor ID, password, product ID, application ID, and the like. Vendor authentication information may be used to authenticate the vendor and to determine the manner in which consumer information is to be filtered from the information account 110. After the DBMS 109 receives the authentication information, it submits an authentication request to the data repository 102 at step 710. In response to authenticating the consumer and the vendor, the DBMS 109 performs one or more database queries to retrieve consumer information elements from the information account 110. Depending on the structure of the information account, the DBMS 109 may retrieve certain products (identified by product ID) from the information account 110, or may retrieve a set of data elements filtered according to a vendor ID or an application ID. If consumer information is retrieved according to products, an iterative lightweight transfer (“LWT”) process may be performed at step 712 in order to get the best set of data elements for each new product ID. Otherwise, the consumer information elements are retrieved from the data repository 102 using appropriate filters at step 714.
Once the DBMS 109 has retrieved the relevant consumer information, the consumer information elements may be merged (if appropriate), decrypted (if appropriate) and/or further filtered (if appropriate) at step 716. Then, at step 718, the resulting information elements are transmitted to the vendor server 114, for example, in the form of an XML data stream. The vendor server 114 receives and processes the consumer information elements at step 720. After processing the consumer information, the vendor server 114 transmits a delivery receipt acknowledgment to the host server 108 at step 722. The host server 108 may then pass an acknowledgment (success or failure) to the consumer (e.g., to the wireless client device 104a or to another client device 104) at step 724. The exemplary generalized interaction diagram then ends at step 726.
As shown in
An exchange may comprise a logical grouping of servers or other network devices, and those skilled in the art will appreciate that there are a variety of suitable methods for implementing logical groupings of network devices on a distributed network. For example, an exchange identifier may be used to identify an exchange and may be associated with each network device that is a member of that exchange. In such an embodiment, a look-up table of exchange identifiers may be maintained at the host server 108, within the central data repository 102 or at another suitable location and may be used to authenticate an exchange identifier used in connection with a request for access to an information account 110.
Exchanges 802A&B may be implemented, for example, through inflow and/or outflow constraints. An inflow constraint may, for example, dictate that only information accounts 110 associated with specific other exchanges will be accepted within an exchange or that no information accounts 110 associated with other exchanges will be accepted. An outflow constraint may dictate that information accounts 110 associated with an exchange may be used within that exchange and within no other exchanges (i.e., a private exchange), or within only selected other exchanges. Various business situations and partnerships may drive the implementation of inflow and outflow constraints.
In various embodiments, an information account 110 may be branded so as to be associated with a particular vendor or other entity, product or service. By way of example only, if a consumer creates an information account 110 via a website maintained on behalf of a particular vendor, e.g., “Vendor X,” the information account 110 may be branded as a “BrandX” information account 110X. A BrandX information account 110X may be stored in the central data repository in association with a BrandX identifier. BrandX logos or indicia may be displayed to the consumer when the consumer accesses the BrandX information account 110X. Thus, although Vendor X “sponsors” the BrandX information account 110X, the central data repository 102 that stores the BrandX information account 110X may be maintained by another entity.
An exchange 802A&B may be configured to accept one or more differently branded information accounts 110. This concept is similar to automated teller machine (ATM) networks, in which a customer of one bank may use his ATM card (e.g., debit or credit card) to conduct transactions at the ATM of another bank. Typically, an ATM card includes a number of logos (also referred to as “bugs”) that indicate the financial networks that will accept the ATM card. ATMs also display logos identifying the financial networks to which they are connected. Thus, a bank customer may have a Wachovia® ATM card that is accepted in all Honor and PLUS network ATMs. Similarly, the various vendor servers 114 that make up a particular exchange may include logos or other indicia indicating the brands of information accounts 110 that will be accepted.
With reference to
The displayed web page file 116Y may thus display one or more brand logos 904 indicating the accepted brands of information accounts. The displayed web page file 116Y may also display one or more exchange logos 906 indicating the exchanges of which the vendor server 114Y is a member. In addition, the displayed web page file 116Y may display an access/create link 908 for allowing a consumer to access or create a Brand Y information account 110Y. The displayed web page file 116Y of
When used in the context of a private exchange (e.g., an exchange that does not accept foreign information accounts 110) an information account may take the form of a “private” branded information account 110. As an example, if Vendor X establishes a private Exchange A 802A that offers a variety of financial services, a BrandX information account 110X may be established for consumers who participate in the private exchange. The BrandX information account 110X may be configured to store information that is relevant to the financial services offered by Vendor X. If appropriate outflow constraints are established, the BrandX information account 110X may be accepted only within private Exchange A 802A. Again, Vendor X may facilitate or otherwise sponsor the creation of the BrandX information account 110X, while another entity may serve as the custodian of the data repository 102 for storing the BrandX information account 110X and provide the underlying information technology.
If private Exchange A 802A is not subject to outflow constraints, a BrandX information account 110X may also be accessed at websites hosted by or on behalf of other vendors, such as Vendor Y and/or Vendor Z. Consequently, an on-line form associated with Vendor Y web page files 116Y or Vendor Z web page files 116Z may automatically be populated based on information elements originating from the BrandX information account 110X. Similarly, if Exchange A 802A is subject to appropriate inflow constraints, a Brand Y information account 110Y and a Brand Z information account 110Z may also be used at any website hosted by a vendor server 114X that is a member of the Exchange A 802A. In general, any number of vendors or other entities may participate in an exchange.
Various licensing arrangements and revenue sharing agreements may be established between the custodian of the data repository 102 and the vendors that configure their vendor servers 114 for interaction with information accounts 110. In particular, the custodian may choose to implement revenue sharing models in order to provide vendors with an incentive to promote and facilitate the creation and use of information accounts 110. The custodian may earn revenues in exchange for the service of providing access to information accounts 110 for completion of transactions. For example, the custodian may be paid a per transaction commission by the requesting exchange or vendor each time an information account 110 is used by a consumer to quickly fill out a form or other document for completing a transaction with a vendor. As another example, the custodian of the data repository 102 may receive revenue from the requesting exchange or vendor based on milestone transaction numbers. For example, the custodian may be paid a negotiated dollar amount for a negotiated number of transactions (e.g., $100 for every 500 transactions completed using an information account).
The more information accounts 110 that are in existence, the more transactions that are likely to occur in commerce. Accordingly, the custodian of the data repository 102 may choose to implement various revenue sharing models in order to financially encourage vendors and other entities to promote and/or sponsor information accounts 110. As an example, a revenue sharing model may specify that a lifetime revenue stream be paid to the originating vendor or entity that is credited with facilitating the creation of an information account 110. A lifetime revenue stream may be effective for the life of the information account 110 and may take the form of a credit issued to the originating vendor or entity each time that information account 110 is used to complete a transaction. A credit may amount to a percentage (anywhere from 0% to 100%) of the revenue earned by the custodian of the data repository 102 in connection with the transaction, or an otherwise arranged fee. Revenue sharing models may also specify that credits be paid by the custodian of the data repository 102 to a transacting vendor or entity that accepts consumer information elements from an information account 110 in order to complete a transaction.
In the context of exchanges and branded information accounts, the amounts credited to originating entities and transacting entities may vary depending on the particular exchange and/or which brand of branded information account was used in order to complete a transaction. For example, referring back to
Revenue sharing models may further include credits paid to OEMs, consultants, software providers and/or any other party who facilitates the creation and/or construction of an exchange, introduces information accounts 110 to an exchange, or otherwise assists the custodian of the central data repository 102 in increasing its revenue base.
An extraction module 1004 may be used to facilitate the extraction of transaction information from a transaction log 1002. The extraction module 1004 may be executed by the host server 108 or by another network device that is in communication with the host server 108 or the central data repository 102. The extraction module 1004 may be employed to extract selected transaction information from the transaction log 1002 and to translate or transform the extracted transaction information into a format that can be interpreted by a financial processing system 1006. Thus, in certain embodiments, the extraction module 1004 may be configured to extract transaction data elements from a tagged data stream representing or associated with an information account 110. SOAP and/or other well-known protocols may be used by the extraction module 1004 to interface between the transaction log 1002 and the financial processing system 1006. The financial processing system 1006 may comprise any system for processing transaction information and revenue sharing models in order to ensure that the appropriate party is billed in connection with a transaction involving an information account and that revenues are shared with the appropriate parties. By way of example only, the financial processing system may be a custom software module or an off-the-shelf software package, such as the well-known “Oracle Financials” package.
Those skilled in the art will appreciate that the system components and arrangement thereof shown in
In connection with the creation of an information account 110, a consumer may be provided with consumer authentication information, which may include, for example, a username, password, user ID, biometric, challenge word, phrase or response, etc. This consumer authentication information may be stored in the consumer's information account 110, along with other authentication-related information such as, for example, email address, access attempts, last attempt date/time, challenge query, ticket parameters, vendor credited with origination of the information account, etc. In certain embodiments as disclosed herein, a single sign-on mechanism (also referred to herein as a single sign-on feature) may be provided to allow a consumer to “sign-on” (i.e., to provide consumer authentication information as may be required) for authentication to securely access an information account 110 at a first website. Since a consumer's information account 110 may be accessible from more than one website, the authentication status may be handled in such a way so as to “follow” the consumer as the consumer accesses subsequent websites. At such subsequent websites, a consumer who has activated the single sign-on mechanism need not re-enter authentication information, assuming certain conditions are present.
A preferred single sign-on mechanism can be implemented, in certain embodiments, without requiring a manual download or installation of any program modules on the consumer's client device 104. Nor does the single sign-on mechanism, at least in a preferred embodiment, require “add-ons”, “cookies” or other special configurations for a web browser, although such features may optionally be utilized in connection with or in addition to a single sign-on mechanism as disclosed herein. A preferred single sign-on mechanism is managed at the client device 104 via one or more client-side applications 105 that are loaded into the browser 112 along with web page files 116 that comprise a consumer information account-enabled website. Applets (e.g., JAVA applets) are particularly well-suited for use as client-side applications 105 in this context, due to their platform independent nature. In an exemplary embodiment of the single sign-on mechanism, a client-side application 105 (e.g., applet) may communicate with the host server 108 to determine whether the user has already been authenticated, and if so, to cause the log-in interface to be by-passed. Re-authentication may thereby be performed automatically by way of the client-side application 105.
After the client device 104 has downloaded the information account-enabled web page file 116, the user may activate an access/create link 908 of the consumer information account-enabled displayed web page file 116 and, assuming that the single sign-on feature is not activated, may subsequently supply consumer authentication information (e.g., username/password, etc.) via a sign-on interface in order to request access to an information account 110. At step 1102, the client-side application 105 responsible for authentication receives the consumer authentication information supplied by the user. Then, at step 1104 the client-side application 105 determines a browser identifier that uniquely identifies the browser from which the sign-on request was initiated and the sign-on time (i.e., the time the sign-on request was initiated). The browser identifier may comprise any unique identification code, such as a product serial number (relating to hardware or software), a dynamically generated alphanumeric string, etc. The sign-on time may be determined, for example, by interacting with a clock function executed by the client device 104. It is expected that the client device 104 (a personal computer, for example) has a system clock from which the current time may be read. However, it is also possible to obtain the current time from a remote site across the network 106. The sign-on time may be stored either as an absolute time value, or as a relative time value with respect to a known reference time.
Those skilled in the art will appreciate that any equipment identifier that uniquely identifies the client device 104 may be substituted for the browser identifier. For example, mobile client devices 104a, such as network-enabled telephones, PDAs, portable computers and the like, may be assigned unique equipment identifiers, which may be static or dynamic. A client-side application 105 may thus be configured to determine any unique equipment identifier and to transmit that unique equipment identifier to the host server 108. Furthermore, an equipment identifier may be generated or determined at the network device 104 or may be received from another source, such as the host server 108, a certificate authority or some other authentication entity. Accordingly, any reference herein to a browser identifier is intended merely to provide an example of certain embodiments of the present invention and is not intended to limit the scope thereof.
The order in which the client-side application 105 receives or determines the consumer authentication information, the browser identifier and the sign-on time may vary in different embodiments. For example, in some embodiments the browser identifier may always be determined first and used to determine if the single sign-on feature was previously activated, while in other embodiments a different sequence may be employed. Accordingly, the sequence of exemplary steps 1102–1104 is not intended to be limiting.
At step 1106 the consumer authentication information, the browser identifier, the sign-on time and any other information associated with the sign-on process are stored in an authentication table 113, which is preferably maintained at the host server 108. Accordingly, the client-side application 105 may transmit the consumer authentication information, the browser identifier, the sign-on time, etc. to the host server 108. The host server 108 may utilize the database management system 109 for interacting with the authentication table 113. The authentication table 113 may alternatively be stored in another location accessible by the host server 108, such as the data repository 102, or another network server. Once authenticated, the consumer can access the information account 110 via the vendor web-site 114 using the client device 104.
In continuing to operate the browser 112 to access web page files 116 via the network 106, the user may access a subsequent web-site that requires sign-on and authentication to access the consumer information account 110. Like before, upon accessing a new vendor web-site 114, the client device 104 may download an information account-enabled web-page file 116 that is displayed by the browser 112, and the web-page file 116 may include an instruction (e.g., a “call”) that causes the browser 112 to download and execute one or more client-side applications 105. The client-side application 105 responsible for authentication detects a subsequent request for access to the consumer information account 110 via the subsequent web-site at step 1108. As an example, the subsequent request for access to the consumer information account 110 may occur when the user activates an access/create link 908 of the subsequent web-site. When the request for access to the consumer information account 110 is detected, the client-side application 105 determines a browser identifier at step 1110. At step 1112, the browser identifier (as determined at step 1110) may be used to look up the associated consumer authentication information and previous sign-on time stored in the authentication table 113. In particular, the client-side application 105 may transmit the browser identifier (as determined at step 1110) to the database management system 109 at the host server 108, which may access the authentication table 113 to determine the username, password, previous sign-on time, etc. associated with the browser identifier, if any.
Assuming that consumer authentication information was determined to be associated with the browser identifier, the method next moves to step 1114, where a determination is made as to whether the single sign-on feature is activated. In certain exemplary embodiments, the authentication table 113 may also associate certain preferences with the browser identifier, consumer authentication information, sign-on time, etc. A preference may indicate, for example, whether the user has opted to activate or deactivate the single sign-on feature. By way of example, a dialog box or other interface may be presented to the user during the initial sign-on requesting input from the user as to whether the single sign-on feature should be activated. If single sign-on activation is optional, the database management system 109 (or other responsible network component) may be configured to access the authentication table 113 to determine whether a preference associated with the browser identifier (as determined at step 1110) indicates that the user had previously activated the single sign-on mechanism. Once activated, the single sign-on feature may be automatically deactivated upon the occurrence of certain terminating events, such as the end of a browser session, a manual sign-off (logout) by the user, the expiration of a time-out interval (see step 1120 below), etc. The user may also be provided with the option to manually deactivate the single sign-on feature.
If the single sign-on feature has not been activated, the method advances to step 1116, whereupon the user is prompted to sign-on again for further access to the information account 110. The user may optionally be prompted with a choice to activate the single sign-on feature during the sign-on process. After the user signs-on via the subsequent web-site, the method returns to step 1104 where the browser identifier and sign-on time are again determined. The method is then repeated from step 1104, as described above.
On the other hand, if the single sign-on feature has been activated, the method advances from step 1114 to step 1118, whereupon the authentication table 113 is consulted to look up the consumer authentication information and determine if and when the user had been previously authenticated by, for example, determining whether the current browser identifier (as determined at step 1110) matches the most recently stored browser identifier in the authentication table 113. If the browser identifiers do not match, or other specified criteria are not met, the user is considered to not have been previously authenticated and the method proceeds to step 1116 where the user is prompted to sign-on again for further access to the information account 110. If, however, the browser identifiers match, or other specified criteria are met, the consumer is considered to have been previously authenticated and the method advances to step 1120, where it is determined whether an authentication time-out interval has expired.
An authentication time-out interval may be defined, according to one example, as the maximum permitted duration of time between the occurrence of an event and a subsequent request for access to the information account 110. The event defining the starting point from which the time-out interval will be calculated may be the first manual sign-on, the most recent sign-on (manual or automatic) or other non-sign-on related events. Those skilled in the art will appreciate that the duration of the time-out interval may be specified globally or otherwise by a system administrator or other entity charged with maintaining the data repository 102. When the subsequent request for access to the information account is initiated by the user, the elapsed time between the current time and the occurrence of the starting point event (e.g., the previous sign-on time) may be determined. If that elapsed time is greater than the duration of the time-out interval, the time-out interval may be considered to have expired. In the preferred embodiment, the time-out interval may be used to enhance the security of the single sign-on mechanism, forcing the user to sign-on again if too much time has elapsed between consecutive sign-on attempts, for example.
If it is determined at step 1120 that the time-out interval has expired, the method proceeds to step 1116 where the user is prompted to sign-on again for further access to the information account 110. From step 1116 the method returns to step 1104 and is repeated as previously described. However, if it is determined at step 1120 that the time-out interval has not expired, the method advances to step 1122. At step 1122, the vendor server 114 that hosts the subsequent web-site is alerted that the user's previous authentication status remains valid, thus causing the vendor server 114 to by-pass any sign-on interface associated with the information account 110. As an example, the client-side application 105 may receive a message from the host server 108 indicating that the user's previous authentication status remains valid and may pass that message to the vendor server 114 or may generate an instruction that causes the vendor server 114 to by-pass any sign-on interface associated with the information account 110. After an automatic sign-on at step 1122, the method returns to step 1108 to await detection of another request for access to the consumer information account 110 via a subsequent web-site that requires sign-on to access the information account 110.
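The host-server side of steps 1102 through 1122, as one runnable model. This is an added example and not the patent's code: the `HostServer` class, the `AuthRecord` layout, the `check_single_sign_on` method and the injected `clock` are assumptions made for illustration. Two design choices go beyond what the text states and are flagged as such: the browser identifier is generated as a random, unguessable token rather than a product serial number, because whoever presents a valid identifier is signed on without a password; and the authentication table stores a salted password hash rather than the password itself. The time-out is measured from the most recent sign-on, manual or automatic, which is one of the starting points the text allows, and the "most recently stored browser identifier" test of step 1118 is modelled by tracking the latest identifier per username.

```python
"""Single sign-on via a host-server authentication table keyed by browser identifier.

Added example, not the patent's own code. Class and method names, the
constructed sample account and the random browser identifier are assumptions.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

DEFAULT_TIMEOUT_SECONDS = 15 * 60  # assumed administrator-configured time-out interval


@dataclass
class AuthRecord:
    """One row of the authentication table 113 (assumed layout)."""
    username: str
    sign_on_time: float      # absolute time of the most recent sign-on, manual or automatic
    sso_enabled: bool        # preference: did the user activate single sign-on?


def new_browser_identifier() -> str:
    """Step 1104: a dynamically generated identifier. Random so it cannot be guessed
    or enumerated; presenting it is equivalent to presenting the password."""
    return secrets.token_urlsafe(32)


class HostServer:
    def __init__(self, clock: Callable[[], float] = time.time,
                 timeout: float = DEFAULT_TIMEOUT_SECONDS):
        self._clock = clock
        self._timeout = timeout
        self._auth_table: Dict[str, AuthRecord] = {}       # browser id -> record
        self._latest_browser: Dict[str, str] = {}          # username -> most recent browser id
        self._accounts: Dict[str, Tuple[bytes, bytes]] = {}  # username -> (salt, pbkdf2 hash)

    # --- account creation: store a salted hash, never the password itself ---
    def create_account(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._accounts[username] = (salt, self._derive(password, salt))

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def _verify(self, username: str, password: str) -> bool:
        entry = self._accounts.get(username)
        if entry is None:
            return False
        salt, expected = entry
        return hmac.compare_digest(self._derive(password, salt), expected)

    # --- steps 1102-1106: manual sign-on records the browser id and sign-on time ---
    def manual_sign_on(self, username: str, password: str,
                       browser_id: str, activate_sso: bool) -> bool:
        if not self._verify(username, password):
            return False
        self._auth_table[browser_id] = AuthRecord(username, self._clock(), activate_sso)
        self._latest_browser[username] = browser_id
        return True

    # --- steps 1110-1122: subsequent request carrying only the browser id ---
    def check_single_sign_on(self, browser_id: str) -> Tuple[bool, str]:
        """Return (bypass_sign_on, reason_or_username)."""
        record = self._auth_table.get(browser_id)
        if record is None:                                   # step 1112: nothing stored
            return False, "no previous sign-on for this browser identifier"
        if not record.sso_enabled:                           # step 1114: preference off
            return False, "single sign-on not activated"
        if self._latest_browser.get(record.username) != browser_id:  # step 1118
            return False, "superseded by a more recent sign-on"
        if self._clock() - record.sign_on_time > self._timeout:      # step 1120
            del self._auth_table[browser_id]
            return False, "time-out interval expired"
        record.sign_on_time = self._clock()                  # restart interval at this automatic sign-on
        return True, record.username                         # step 1122: vendor server may by-pass sign-on

    def sign_off(self, browser_id: str) -> None:
        """Terminating event (manual logout): deactivate single sign-on for this browser."""
        record = self._auth_table.pop(browser_id, None)
        if record and self._latest_browser.get(record.username) == browser_id:
            del self._latest_browser[record.username]


if __name__ == "__main__":
    host = HostServer()
    host.create_account("alice", "correct horse battery staple")  # constructed sample account
    bid = new_browser_identifier()
    print(host.manual_sign_on("alice", "correct horse battery staple", bid, activate_sso=True))
    print(host.check_single_sign_on(bid))   # automatic sign-on at a subsequent web-site
    host.sign_off(bid)
    print(host.check_single_sign_on(bid))   # prompted to sign on again
```

The practitioner's check here is on what the client-side application actually sends at step 1110: only the browser identifier. Anything that can observe or guess that value (a serial number, a predictable string) gets the same by-pass the legitimate browser gets, so the identifier must be as unguessable as a session token and the time-out interval is the only bound on how long a leaked one remains usable.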
Although the single sign-on feature has, in certain instances, been described as being implemented by way of communications between the host server 108 and a client device 104 (e.g., via a client-side application 105), those skilled in the art will appreciate that single sign-on feature may alternately be implemented by way of communications between the host server 108 and a vendor server 114 that hosts a web-site configured to provide access to the central data repository 102 upon authentication of the consumer. Analogously to execution of the client-side applications 105 by the client device 104, the vendor server 114 may execute one or more server-side applications 107 for managing communications with the host server 108 and conducting authentication thereby. Accordingly, one or more server-side applications 107 may be configured to perform the functions of the single sign-on feature, or functions similar thereto, that are described above with respect to one or more client-side applications 105. In implementing the single sign-on feature through use of server-side applications 107, vendor authentication information and/or an equipment identifier or APPID associated with the vendor server 114 may be transmitted to the host server 108, as appropriate. The vendor server may also communicate with the client device to receive consumer authentication information and/or a browser identifier, if needed.
As mentioned, once the user is authenticated to access the information account 110, selected consumer information elements may be filtered from the information account 110 and integrated into a vendor's business process on behalf of the user. As an example, the selected consumer information elements may include authentication information (usernames, passwords, biometrics, etc.) that is needed to access secure areas of vendor web-sites. Thus, after the user has successfully signed-on to the information account 110, subsequent authentications of the user for access to the information account 110 may be handled automatically by the single sign-on feature and other consumer authentication information may be auto-populated into sign-on interfaces of secure web-sites on behalf of the consumer. The present invention therefore reduces the consumer's need to repeatedly supply the consumer authentication information for accessing the information account 110 and can virtually eliminate the consumer's need to supply other authentication information for accessing other secure web-sites.
From a reading of the description above pertaining to various exemplary embodiments, many other modifications, features, embodiments and operating environments of the present invention will become evident to those of skill in the art. The features and aspects of the present invention have been described or depicted by way of example only and are therefore not intended to be interpreted as required or essential elements of the invention. It should be understood, therefore, that the foregoing relates only to certain exemplary embodiments of the invention, and that numerous changes and additions may be made thereto without departing from the spirit and scope of the invention as defined by any appended claims.
Steele, Nick, Hawkins, Stan, Maranville, Joe, Bradnan, Andrew
8230088, | Oct 18 1999 | Cisco Technology, Inc. | Remote computer system management through an FTP internet connection |
8249925, | Jun 23 2010 | Managed Audience Share Solutions LLC | Methods, systems, and computer program products for managing organized binary advertising asset markets |
8260806, | Aug 04 2000 | CXT SYSTEMS, INC | Storage, management and distribution of consumer information |
8266215, | Feb 20 2003 | QUEST SOFTWARE INC F K A DELL SOFTWARE INC ; Aventail LLC | Using distinguishing properties to classify messages |
8271603, | Feb 20 2003 | QUEST SOFTWARE INC F K A DELL SOFTWARE INC ; Aventail LLC | Diminishing false positive classifications of unsolicited electronic-mail |
8296382, | Jul 16 2002 | QUEST SOFTWARE INC F K A DELL SOFTWARE INC ; Aventail LLC | Efficient use of resources in message classification |
8381279, | Feb 13 2009 | Microsoft Technology Licensing, LLC | Constraining a login to a subset of access rights |
8396926, | Jul 16 2002 | QUEST SOFTWARE INC F K A DELL SOFTWARE INC ; Aventail LLC | Message challenge response |
8438159, | Jun 25 2003 | CROWDSTRIKE, INC | Method and system for selecting advertisements to be presented to a viewer |
8442859, | Dec 23 2011 | Managed Audience Share Solutions LLC | Methods, systems, and computer program products for optimizing liquidity and price discovery in advertising markets |
8443429, | May 24 2010 | T-MOBILE INNOVATIONS LLC | Integrated sign on |
8463861, | Feb 20 2003 | QUEST SOFTWARE INC F K A DELL SOFTWARE INC ; Aventail LLC | Message classification using legitimate contact points |
8484301, | Feb 20 2003 | QUEST SOFTWARE INC F K A DELL SOFTWARE INC ; Aventail LLC | Using distinguishing properties to classify messages |
8490168, | Oct 12 2005 | AT&T Properties, LLC; AT&T INTELLECTUAL PROPERTY II, L P | Method for authenticating a user within a multiple website environment to provide secure access |
8504704, | Jun 16 2004 | CALLAHAN CELLULAR L L C | Distributed contact information management |
8527752, | Jun 16 2004 | CALLAHAN CELLULAR L L C | Graduated authentication in an identity management system |
8549300, | Feb 23 2010 | Pulse Secure, LLC | Virtual single sign-on for certificate-protected resources |
8560836, | Jan 09 2003 | CROWDSTRIKE, INC | Method and system for dynamically implementing an enterprise resource policy |
8566248, | Aug 04 2000 | CXT SYSTEMS, INC | Initiation of an information transaction over a network via a wireless device |
8613059, | Dec 18 2009 | WORKDAY, INC | Methods, systems and computer program products for secure access to information |
8640211, | Sep 04 2002 | Intellectual Ventures II LLC | System and methods for universal password control |
8688794, | Feb 20 2003 | QUEST SOFTWARE INC F K A DELL SOFTWARE INC ; Aventail LLC | Signature generation using message summaries |
8700788, | Aug 18 2006 | SmartIcon Technologies, LLC | Method and system for automatic login initiated upon a single action with encryption |
8732256, | Jul 16 2002 | QUEST SOFTWARE INC F K A DELL SOFTWARE INC ; Aventail LLC | Message challenge response |
8745046, | Jun 25 2003 | CROWDSTRIKE, INC | Method and system for selecting content items to be presented to a viewer |
8806207, | Dec 21 2007 | Cocoon Data Holdings Limited | System and method for securing data |
8832787, | Apr 29 2002 | Citrix Systems, Inc | Implementing single sign-on across a heterogeneous collection of client/server and web-based applications |
8875258, | Feb 13 2009 | Microsoft Technology Licensing, LLC | Constraining a login to a subset of access rights |
8898238, | Jul 16 2002 | SonicWall, Inc. | Active e-mail filter with challenge-response |
8924484, | Jul 16 2002 | QUEST SOFTWARE INC F K A DELL SOFTWARE INC ; Aventail LLC | Active e-mail filter with challenge-response |
8924707, | Apr 28 2009 | Hewlett Packard Enterprise Development LP | Communicating confidential information between an application and a database |
8925052, | Jul 26 2006 | AT&T Intellectual Property I, L.P. | Application integration |
8935348, | Feb 20 2003 | QUEST SOFTWARE INC F K A DELL SOFTWARE INC ; Aventail LLC | Message classification using legitimate contact points |
8959652, | Jun 16 2004 | CALLAHAN CELLULAR L L C | Graduated authentication in an identity management system |
8990312, | Jul 16 2002 | QUEST SOFTWARE INC F K A DELL SOFTWARE INC ; Aventail LLC | Active e-mail filter with challenge-response |
8996867, | Feb 28 2008 | AT&T LABS, INC | Method and device for end-user verification of an electronic transaction |
9021039, | Jul 16 2002 | QUEST SOFTWARE INC F K A DELL SOFTWARE INC ; Aventail LLC | Message challenge response |
9059987, | Apr 04 2013 | T-MOBILE INNOVATIONS LLC | Methods and systems of using single sign-on for identification for a web server not integrated with an enterprise network |
9087180, | Oct 12 2006 | International Business Machines Corporation | Control of access to a secondary system |
9189516, | Feb 20 2003 | QUEST SOFTWARE INC F K A DELL SOFTWARE INC ; Aventail LLC | Using distinguishing properties to classify messages |
9215198, | Jul 16 2002 | QUEST SOFTWARE INC F K A DELL SOFTWARE INC ; Aventail LLC | Efficient use of resources in message classification |
9245266, | Jun 16 2004 | CALLAHAN CELLULAR L L C | Auditable privacy policies in a distributed hierarchical identity management system |
9298903, | Mar 16 2013 | International Business Machines Corporation | Prevention of password leakage with single sign on in conjunction with command line interfaces |
9313158, | Jul 16 2002 | QUEST SOFTWARE INC F K A DELL SOFTWARE INC ; Aventail LLC | Message challenge response |
9325649, | Feb 20 2003 | QUEST SOFTWARE INC F K A DELL SOFTWARE INC ; Aventail LLC | Signature generation using message summaries |
9398020, | Jun 16 2004 | CALLAHAN CELLULAR L L C | Graduated authentication in an identity management system |
9432404, | Jan 09 2003 | CROWDSTRIKE, INC | System for managing access to protected resources |
9438559, | Jan 09 2003 | CROWDSTRIKE, INC | System for managing access to protected resources |
9485239, | Apr 29 2002 | Citrix Systems, Inc. | Implementing single sign-on across a heterogeneous collection of client/server and web-based applications |
9503406, | Jul 16 2002 | QUEST SOFTWARE INC F K A DELL SOFTWARE INC ; Aventail LLC | Active e-mail filter with challenge-response |
9524334, | Feb 20 2003 | QUEST SOFTWARE INC F K A DELL SOFTWARE INC ; Aventail LLC | Using distinguishing properties to classify messages |
9558341, | Apr 13 2006 | T-MOBILE INNOVATIONS LLC | Integrated user profile administration tool |
9577990, | Dec 21 2005 | International Business Machines Corporation | Control of access to a secondary system |
9596237, | Dec 14 2010 | STICKY IO, INC | System and method for initiating transactions on a mobile device |
9674126, | Jul 16 2002 | QUEST SOFTWARE INC F K A DELL SOFTWARE INC ; Aventail LLC | Efficient use of resources in message classification |
9756028, | Dec 18 2009 | WORKDAY, INC | Methods, systems and computer program products for secure access to information |
9928508, | Aug 04 2000 | CXT SYSTEMS, INC | Single sign-on for access to a central data repository |
Patent | Priority | Assignee | Title |
5774551 | Aug 07 1995 | Oracle America, Inc | Pluggable account management interface with unified login and logout and multiple user authentication services |
5794259 | Jul 25 1996 | Lextron Systems, Inc | Apparatus and methods to enhance web browsing on the internet |
5815665 | Apr 03 1996 | Microsoft Technology Licensing, LLC | System and method for providing trusted brokering services over a distributed network |
5872850 | Jun 30 1995 | Microsoft Technology Licensing, LLC | System for enabling information marketplace |
5911141 | Nov 07 1995 | International Business Machines Corporation | On-line hierarchical form records identification |
6005939 | Dec 06 1996 | GOOGLE LLC | Method and apparatus for storing an internet user's identity and access rights to world wide web resources |
6073106 | Oct 30 1997 | WELLMED, INC | Method of managing and controlling access to personal information |
6125352 | Jun 28 1996 | Microsoft Technology Licensing, LLC | System and method for conducting commerce over a distributed network |
6154768 | Mar 30 1998 | International Business Machines Corporation | System and method for negotiating functions and features |
6192380 | Mar 31 1998 | Intel Corporation | Automatic web based form fill-in |
6199079 | Mar 09 1998 | Amazon Technologies, Inc | Method and system for automatically filling forms in an integrated network based transaction environment |
6208659 | Dec 22 1997 | BlackBerry Limited | Data processing system and method for providing personal information in a communication network |
6233608 | Dec 09 1997 | UNWIRED PLANET IP MANAGER, LLC; Unwired Planet, LLC | Method and system for securely interacting with managed data from multiple devices |
6247029 | May 01 1998 | International Business Machines Corporation | Web browser form enhancements |
6253203 | Oct 02 1998 | NCR Voyix Corporation | Privacy-enhanced database |
6298347 | Aug 25 1998 | NUMODA TECHNOLOGIES, INC | System and method for remote data entry |
20010011250 | | | |
20020002684 | | | |
WO146783 | | | |
Executed on | Assignor | Assignee | Conveyance | Frame | Reel | Doc |
Oct 09 2001 | enfoTrust Networks, Inc. | (assignment on the face of the patent) | / | |||
Dec 20 2001 | MARANVILLE, JOE | ENFO TRUST NETWORKS, INC | ASSIGNMENT OF ASSIGNORS INTEREST SEE DOCUMENT FOR DETAILS | 012556 | /0100 | |
Dec 20 2001 | HAWKINS, STAN | ENFO TRUST NETWORKS, INC | ASSIGNMENT OF ASSIGNORS INTEREST SEE DOCUMENT FOR DETAILS | 012556 | /0100 | |
Dec 20 2001 | STEELE, NICK | ENFO TRUST NETWORKS, INC | ASSIGNMENT OF ASSIGNORS INTEREST SEE DOCUMENT FOR DETAILS | 012556 | /0100 | |
Jan 02 2002 | BRADNAN, ANDREW | ENFO TRUST NETWORKS, INC | ASSIGNMENT OF ASSIGNORS INTEREST SEE DOCUMENT FOR DETAILS | 012556 | /0100 | |
Sep 18 2006 | ENFOTRUST NETWORKS, INC | Guardian Networks, LLC | ASSIGNMENT OF ASSIGNORS INTEREST SEE DOCUMENT FOR DETAILS | 019297 | /0293 | |
Sep 04 2007 | ENFOTRUST NETWORKS, LLC | Guardian Networks, LLC | ASSIGNMENT OF ASSIGNORS INTEREST SEE DOCUMENT FOR DETAILS | 019773 | /0788 | |
Sep 21 2007 | Guardian Networks, LLC | GRDN NET SOLUTIONS, LLC | ASSIGNMENT OF ASSIGNORS INTEREST SEE DOCUMENT FOR DETAILS | 019920 | /0579 | |
Sep 05 2014 | GRDN NET SOLUTIONS, LLC | Intellectual Ventures I LLC | MERGER SEE DOCUMENT FOR DETAILS | 033727 | /0727 | |
Jan 12 2018 | Intellectual Ventures I LLC | INTELLECTUAL VENTURES ASSETS 71 LLC | ASSIGNMENT OF ASSIGNORS INTEREST SEE DOCUMENT FOR DETAILS | 045016 | /0258 | |
Jan 26 2018 | INTELLECTUAL VENTURES ASSETS 71 LLC | CXT SYSTEMS, INC | ASSIGNMENT OF ASSIGNORS INTEREST SEE DOCUMENT FOR DETAILS | 045681 | /0730 | |
Feb 01 2018 | INTELLECTUAL VENTURES ASSETS 71 LLC | CXT SYSTEMS, INC | ASSIGNMENT OF ASSIGNORS INTEREST SEE DOCUMENT FOR DETAILS | 045681 | /0796 |
Date | Maintenance Fee Events |
Aug 21 2009 | M1551: Payment of Maintenance Fee, 4th Year, Large Entity. |
Sep 03 2009 | STOL: Pat Hldr no Longer Claims Small Ent Stat |
Sep 04 2009 | R2551: Refund - Payment of Maintenance Fee, 4th Yr, Small Entity. |
Feb 22 2011 | ASPN: Payor Number Assigned. |
Feb 22 2011 | RMPN: Payer Number De-assigned. |
Aug 26 2013 | M1552: Payment of Maintenance Fee, 8th Year, Large Entity. |
Aug 29 2017 | M1553: Payment of Maintenance Fee, 12th Year, Large Entity. |
Date | Maintenance Schedule |
Mar 21 2009 | 4 years fee payment window open |
Sep 21 2009 | 6 months grace period start (w surcharge) |
Mar 21 2010 | patent expiry (for year 4) |
Mar 21 2012 | 2 years to revive unintentionally abandoned end. (for year 4) |
Mar 21 2013 | 8 years fee payment window open |
Sep 21 2013 | 6 months grace period start (w surcharge) |
Mar 21 2014 | patent expiry (for year 8) |
Mar 21 2016 | 2 years to revive unintentionally abandoned end. (for year 8) |
Mar 21 2017 | 12 years fee payment window open |
Sep 21 2017 | 6 months grace period start (w surcharge) |
Mar 21 2018 | patent expiry (for year 12) |
Mar 21 2020 | 2 years to revive unintentionally abandoned end. (for year 12) |